Mitigating malware and ransomware attacks
This article provides guidance and actions for organizations dealing with the effects of malware attacks, including ransomware. The objective is to reduce the likelihood of becoming infected, reduce the spread of malware throughout your organization, and reduce the impact of an infection should you be breached.
What is malware?
Malware is malicious software which, if it is able to run, can cause harm in many ways, including:
- causing a device to become locked or unusable
- stealing, deleting, or encrypting data
- taking control of your devices to attack other organizations
- obtaining credentials which allow access to your organization’s systems or services that you use
- ‘mining’ cryptocurrency
- using services that may cost you money (e.g., premium rate phone calls).
What is ransomware?
Ransomware is a type of malware that prevents you from accessing your computer or the data stored on it. The computer or servers may become locked, or the data may be stolen, deleted, or encrypted. Some ransomware will also try to spread to other machines on the network.
Usually you are asked to contact the attacker via an anonymous email address, follow instructions on an anonymous web page, or follow a note left on the system, in order to make payment. The payment is invariably demanded in a cryptocurrency such as Bitcoin, in return for unlocking your computer or restoring access to your data. However, even if you pay the ransom, there is no guarantee that you will regain access to your computer or your files. Occasionally malware is presented as ransomware, but after the ransom is paid the files are not decrypted.
Using a defense-in-depth strategy
Since there is no way to completely protect your organization against malware infection, you should adopt a defense-in-depth approach. This means using layers of defense with several types of mitigation at each layer, giving you more opportunities to deter, detect, and stop malware before it causes real harm to your organization. You should assume that some malware will infiltrate your organization at some point, take steps to limit the impact this would cause, and have a rapid response in place to isolate the malware and stop it from replicating across your devices and network. Rapid clean-up and restoration of business services and company data is essential to regain full operations.
Critical – Make frequent backups and test them regularly
Up-to-date and tested backups are the most effective way of recovering from a ransomware attack. You should do the following:
- Make regular backups of your most important files (which files these are will differ for every organization), check that you know how to restore files from the backup, and regularly test that the restore works as expected.
- Ensure you create offline backups that are kept separate, in a different location (ideally offsite), from your network and systems, or in a cloud service designed for this purpose, as ransomware actively targets backups to increase the likelihood of payment.
- Make multiple copies of files using different backup solutions and storage locations. You should not rely on having two copies on a single removable drive, nor should you rely on multiple copies in a single cloud service.
- Make sure that the devices containing your backup (such as external hard drives and USB sticks) are not permanently connected to your network. Attackers will target connected backup devices and solutions to make recovery more difficult.
- You should ensure that your cloud service protects previous versions of the backup from being immediately deleted and allows you to restore to them. This will prevent both your live and backup data becoming inaccessible – cloud services often automatically synchronize immediately after your files have been replaced with encrypted copies.
- Ensure that backups are only connected to known clean devices before starting recovery.
- Scan backups for malware before you restore files. Ransomware may have infiltrated your network over a period and replicated to backups before being discovered.
- Regularly patch products used for backup, so attackers cannot exploit any known vulnerabilities they might contain.
There have been cases where attackers have destroyed copied files or disrupted recovery processes before conducting ransomware attacks. Ideally, backup accounts and solutions should be protected using Privileged Access Workstations (PAW) and hardware firewalls to enforce IP allow listing. Multifactor Authentication (MFA) should be enabled, and the MFA method should not be installed on the same device that is used for the administration of backups.
Prevent Malware from being delivered and spread to devices
You can reduce the likelihood of malicious content reaching your devices with a combination of:
- filtering to only allow file types you would expect to receive
- blocking websites that are known to be malicious
- actively inspecting content
- using signatures to block known malicious code
These are typically done by network services rather than users’ devices. Examples include:
- mail and spam filtering, which can block malicious emails and remove executable attachments
- intercepting proxies, which block known-malicious websites
- internet security gateways, which can inspect content in certain protocols (including some encrypted protocols) for known malware
- safe browsing lists within your web browsers, which can prevent access to sites known to be hosting malicious content
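To show how the filtering layers listed above combine in practice, here is an added example (not from this guidance) of the decision logic a mail filter might apply to each attachment: a known-bad hash check standing in for antivirus signatures, an executable block list, an allow list of expected file types, and content inspection that compares the claimed extension with the file's leading bytes. The allow list, block list and deny-list hash are constructed policy values, not recommendations for any specific organization.

```python
import hashlib

# Constructed policy values: adjust to the file types your organization expects to receive.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg", ".txt", ".csv"}
TEXT_EXTENSIONS = {".txt", ".csv"}  # plain text, no header to verify
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta", ".msi"}
# Leading bytes that reveal the real file type, whatever the name claims.
MAGIC = {
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".docx", ".xlsx"},      # OOXML documents are zip containers
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"\xff\xd8\xff": {".jpg"},
    b"MZ": {".exe", ".dll", ".scr"},       # Windows PE header
}
# Constructed SHA-256 deny list standing in for an antivirus signature feed.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ constructed malicious sample").hexdigest()}


def detected_types(data: bytes) -> set:
    """Content inspection: which extensions are consistent with the bytes actually present."""
    return next((exts for magic, exts in MAGIC.items() if data.startswith(magic)), set())


def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (allowed, reason), applying the layers in order: known-bad signature,
    executable block list, file-type allow list, then content inspection."""
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        return False, "matches known-malicious signature"
    if ext in EXECUTABLE_EXTENSIONS:           # also catches double extensions like x.pdf.exe
        return False, f"executable attachment type {ext}"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"file type {ext or '(none)'} is not on the allow list"
    real = detected_types(data)
    if ext in TEXT_EXTENSIONS:
        if real:
            return False, f"{ext} attachment carries a {'/'.join(sorted(real))} header"
    elif ext not in real:
        return False, f"content does not match claimed type {ext}"
    return True, "ok"
```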
Ransomware is increasingly being deployed by attackers who have gained access remotely via exposed services such as Remote Desktop Protocol (RDP), or via unpatched remote access devices. To prevent this, organizations should:
- enable MFA at all remote access points into the network, and enforce IP allow listing using hardware firewalls
- use an approved VPN for remote access to services; Software as a Service or other services exposed to the internet should use Single Sign-On (SSO) where access policies can be defined.
- use the least privilege model for providing remote access – use low privilege accounts to authenticate, and provide an audited process to allow a user to escalate their privileges within the remote session where necessary
- patch known vulnerabilities in all remote access and external facing devices immediately, and follow vendor remediation guidance including the installation of new patches as soon as they become available
Prevent malware from running on devices
A defense-in-depth approach assumes that malware will reach your devices. You should therefore take steps to prevent malware from running. The measures required will vary for each device type, OS and version, but in general you should look to use device-level security features.
Organizations should:
- centrally manage devices so that only applications trusted by the enterprise are permitted to run, using application allow-listing technologies (such as AppLocker) or zero trust security applications
- use enterprise antivirus and anti-malware products on your systems and keep them up to date with the latest definitions
- provide security education and awareness training to your people
- disable or constrain scripting environments and macros, for example by:
  - enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy
- disable auto-run for mounted media (prevent the use of removable media if it is not needed)
In addition, attackers can force their code to execute by exploiting vulnerabilities in the device. Prevent this by keeping devices well-configured and up to date. We recommend that you:
- install security updates as soon as they become available in order to fix exploitable bugs in your products
- enable automatic updates for OSs, applications, and firmware
- use the latest versions of OSs and applications to take advantage of the latest security features
- configure host-based and network firewalls, disallowing inbound connections by default